Chapter 21. Key Manager service command-line client


The barbican client is the command-line interface (CLI) for the Key Manager service API and its extensions. This chapter documents barbican version 4.0.0.
For help on a specific barbican command, enter:
$ barbican help COMMAND

21.1. barbican usage

usage: barbican [--version] [-v | -q] [--log-file LOG_FILE] [-h] [--debug] [--no-auth] [--os-identity-api-version <identity-api-version>] [--os-auth-url <auth-url>] [--os-username <auth-user-name>] [--os-user-id <auth-user-id>] [--os-password <auth-password>] [--os-user-domain-id <auth-user-domain-id>] [--os-user-domain-name <auth-user-domain-name>] [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>] [--os-project-id <auth-project-id>] [--os-project-name <auth-project-name>] [--os-project-domain-id <auth-project-domain-id>] [--os-project-domain-name <auth-project-domain-name>] [--os-auth-token <auth-token>] [--endpoint <barbican-url>] [--interface <barbican-interface>] [--service-type <barbican-service-type>] [--service-name <barbican-service-name>] [--region-name <barbican-region-name>] [--barbican-api-version <barbican-api-version>] [--insecure] [--os-cacert <ca-certificate>] [--os-cert <certificate>] [--os-key <key>] [--timeout <seconds>]

21.2. barbican optional arguments

--version
show program's version number and exit
-v, --verbose
Increase verbosity of output. Can be repeated.
-q, --quiet
Suppress output except warnings and errors.
--log-file LOG_FILE
Specify a file to log output. Disabled by default.
-h, --help
Show help message and exit.
--debug
Show tracebacks on errors.
--no-auth, -N
Do not use authentication.
--os-identity-api-version <identity-api-version>
Specify Identity API version to use. Defaults to env[OS_IDENTITY_API_VERSION] or 3.
--os-auth-url <auth-url>, -A <auth-url>
Defaults to env[OS_AUTH_URL].
--os-username <auth-user-name>, -U <auth-user-name>
Defaults to env[OS_USERNAME].
--os-user-id <auth-user-id>
Defaults to env[OS_USER_ID].
--os-password <auth-password>, -P <auth-password>
Defaults to env[OS_PASSWORD].
--os-user-domain-id <auth-user-domain-id>
Defaults to env[OS_USER_DOMAIN_ID].
--os-user-domain-name <auth-user-domain-name>
Defaults to env[OS_USER_DOMAIN_NAME].
--os-tenant-name <auth-tenant-name>, -T <auth-tenant-name>
Defaults to env[OS_TENANT_NAME].
--os-tenant-id <tenant-id>, -I <tenant-id>
Defaults to env[OS_TENANT_ID].
--os-project-id <auth-project-id>
Another way to specify tenant ID. This option is mutually exclusive with --os-tenant-id. Defaults to env[OS_PROJECT_ID].
--os-project-name <auth-project-name>
Another way to specify tenant name. This option is mutually exclusive with --os-tenant-name. Defaults to env[OS_PROJECT_NAME].
--os-project-domain-id <auth-project-domain-id>
Defaults to env[OS_PROJECT_DOMAIN_ID].
--os-project-domain-name <auth-project-domain-name>
Defaults to env[OS_PROJECT_DOMAIN_NAME].
--os-auth-token <auth-token>
Defaults to env[OS_AUTH_TOKEN].
--endpoint <barbican-url>, -E <barbican-url>
Defaults to env[BARBICAN_ENDPOINT].
--interface <barbican-interface>
Defaults to env[BARBICAN_INTERFACE].
--service-type <barbican-service-type>
Defaults to env[BARBICAN_SERVICE_TYPE].
--service-name <barbican-service-name>
Defaults to env[BARBICAN_SERVICE_NAME].
--region-name <barbican-region-name>
Defaults to env[BARBICAN_REGION_NAME].
--barbican-api-version <barbican-api-version>
Defaults to env[BARBICAN_API_VERSION].
--insecure
Explicitly allow client to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution.
--os-cacert <ca-certificate>
Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT].
--os-cert <certificate>
Defaults to env[OS_CERT].
--os-key <key>
Defaults to env[OS_KEY].
--timeout <seconds>
Set request timeout (in seconds).
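
An added example, not part of the original reference or of the barbican project: a POSIX shell check that scans a script for barbican invocations using the global options above that weaken transport or credential handling (--insecure, --no-auth/-N, --os-password/-P, --os-auth-token). Credentials passed as arguments end up in the script text and in the process argument list, which is why the environment-variable defaults are preferred. The function names, the sample script and its values are constructed for illustration.

```shell
#!/bin/sh
# Added example: report risky global options in scripts that call barbican.
# Output format: LINE:FLAG:REASON, one finding per line.
audit_barbican_flags() {
    awk '
    BEGIN {
        risky["--insecure"] = "TLS server certificate is not verified; use --os-cacert"
        risky["--no-auth"] = "request is sent without authentication"
        risky["-N"] = risky["--no-auth"]
        risky["--os-password"] = "password in argv; rely on env OS_PASSWORD"
        risky["-P"] = risky["--os-password"]
        risky["--os-auth-token"] = "token in argv; rely on env OS_AUTH_TOKEN"
    }
    # Join backslash-continued lines so one invocation is one record.
    {
        if (start == 0) start = NR
        line = buf $0
        if (line ~ /\\$/) { sub(/\\$/, " ", line); buf = line; next }
        buf = ""; check(line, start); start = 0
    }
    END { if (buf != "") check(buf, start) }
    function check(s, n,    t, i, k, f, seen) {
        k = split(s, t, /[ \t]+/)
        seen = 0
        for (i = 1; i <= k; i++) {
            if (t[i] ~ /^#/) break                      # rest of line is a comment
            if (t[i] == "|" || t[i] == ";" || t[i] == "&&" || t[i] == "||") {
                seen = 0; continue                      # next command starts here
            }
            if (!seen) {
                if (t[i] == "barbican" || t[i] ~ /\/barbican$/) seen = 1
                continue
            }
            f = t[i]; sub(/=.*/, "", f)                 # accept --flag=value too
            if (f in risky) printf "%d:%s:%s\n", n, f, risky[f]
        }
    }' "$1"
}

# Constructed sample script (not from the original page).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample: helper that calls the barbican client
barbican --os-cacert /etc/pki/ca.pem secret list
barbican --insecure -P hunter2 secret list
barbican --no-auth --endpoint http://localhost:9311 \
    secret get --payload https://url.test/v1/secrets/1-2-3-4
echo done  # barbican --insecure (comment, ignored)
EOF
}

tmp=$(mktemp); write_sample "$tmp"; audit_barbican_flags "$tmp"; rm -f "$tmp"
```

The check tokenizes on whitespace only, so quoted arguments containing spaces and options assembled from variables are outside what it detects.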

21.3. barbican acl delete

usage: barbican acl delete [-h] URI
Delete ACLs for a secret or container as identified by its href.

Positional arguments

URI
The URI reference for the secret or container.

Optional arguments

-h, --help
show this help message and exit

21.4. barbican acl get

usage: barbican acl get [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] URI
Retrieve ACLs for a secret or container by providing its href.

Positional arguments

URI
The URI reference for the secret or container.

Optional arguments

-h, --help
show this help message and exit

21.5. barbican acl submit

usage: barbican acl submit [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--user [USERS]] [--project-access | --no-project-access] [--operation-type {read}] URI
Submit ACL on a secret or container as identified by its href.

Positional arguments

URI
The URI reference for the secret or container.

Optional arguments

-h, --help
show this help message and exit
--user [USERS], -u [USERS]
Keystone userid(s) for ACL.
--project-access
Flag to enable project access behavior.
--no-project-access
Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for

21.6. barbican acl user add

usage: barbican acl user add [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--user [USERS]] [--project-access | --no-project-access] [--operation-type {read}] URI
Add ACL users to a secret or container as identified by its href.

Positional arguments

URI
The URI reference for the secret or container.

Optional arguments

-h, --help
show this help message and exit
--user [USERS], -u [USERS]
Keystone userid(s) for ACL.
--project-access
Flag to enable project access behavior.
--no-project-access
Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for

21.7. barbican acl user remove

usage: barbican acl user remove [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--user [USERS]] [--project-access | --no-project-access] [--operation-type {read}] URI
Remove ACL users from a secret or container as identified by its href.

Positional arguments

URI
The URI reference for the secret or container.

Optional arguments

-h, --help
show this help message and exit
--user [USERS], -u [USERS]
Keystone userid(s) for ACL.
--project-access
Flag to enable project access behavior.
--no-project-access
Flag to disable project access behavior.
--operation-type {read}, -o {read}
Type of Barbican operation ACL is set for

21.8. barbican ca get

usage: barbican ca get [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] URI
Retrieve a CA by providing its URI.

Positional arguments

URI
The URI reference for the CA.

Optional arguments

-h, --help
show this help message and exit

21.9. barbican ca list

usage: barbican ca list [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] [--name NAME]
List CAs.

Optional arguments

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
--name NAME, -n NAME
specify the secret name (default: None)

21.10. barbican secret container create

usage: barbican secret container create [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] [--name NAME] [--type TYPE] [--secret SECRET]
Store a container in Barbican.

Optional arguments

-h, --help
show this help message and exit
--name NAME, -n NAME
a human-friendly name.
--type TYPE
type of container to create (default: generic).
--secret SECRET, -s SECRET
one secret to store in a container (can be set multiple times). Example: --secret "private_key=https://url.test/v1/secrets/1-2-3-4"

21.11. barbican secret container delete

usage: barbican secret container delete [-h] URI
Delete a container by providing its href.

Positional arguments

URI
The URI reference for the container

Optional arguments

-h, --help
show this help message and exit

21.12. barbican secret container get

usage: barbican secret container get [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] URI
Retrieve a container by providing its URI.

Positional arguments

URI
The URI reference for the container.

Optional arguments

-h, --help
show this help message and exit

21.13. barbican secret container list

usage: barbican secret container list [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] [--name NAME] [--type TYPE]
List containers.

Optional arguments

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
--name NAME, -n NAME
specify the container name (default: None)
--type TYPE, -t TYPE
specify the type filter for the list (default: None).

21.14. barbican secret delete

usage: barbican secret delete [-h] URI
Delete a secret by providing its URI.

Positional arguments

URI
The URI reference for the secret

Optional arguments

-h, --help
show this help message and exit

21.15. barbican secret get

usage: barbican secret get [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] [--decrypt] [--payload] [--payload_content_type PAYLOAD_CONTENT_TYPE] URI
Retrieve a secret by providing its URI.

Positional arguments

URI
The URI reference for the secret.

Optional arguments

-h, --help
show this help message and exit
--decrypt, -d
if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content-type.
--payload, -p
if specified, retrieve the unencrypted secret data; the data type can be specified with --payload-content-type. To retrieve only the value of the payload, add "-f value" so that the output is formatted to return only the payload value.
--payload_content_type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the content type of the decrypted secret (default: text/plain).

21.16. barbican secret list

usage: barbican secret list [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET] [--name NAME] [--algorithm ALGORITHM] [--bit-length BIT_LENGTH] [--mode MODE]
List secrets.

Optional arguments

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)
--name NAME, -n NAME
specify the secret name (default: None)
--algorithm ALGORITHM, -a ALGORITHM
the algorithm filter for the list (default: None).
--bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length filter for the list (default: 0).
--mode MODE, -m MODE
the algorithm mode filter for the list (default: None).

21.17. barbican secret order create

usage: barbican secret order create [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] [--name NAME] [--algorithm ALGORITHM] [--bit-length BIT_LENGTH] [--mode MODE] [--payload-content-type PAYLOAD_CONTENT_TYPE] [--expiration EXPIRATION] [--request-type REQUEST_TYPE] [--subject-dn SUBJECT_DN] [--source-container-ref SOURCE_CONTAINER_REF] [--ca-id CA_ID] [--profile PROFILE] [--request-file REQUEST_FILE] type
Create a new order.

Positional arguments

type
the type of the order to create.

Optional arguments

-h, --help
show this help message and exit
--name NAME, -n NAME
a human-friendly name.
--algorithm ALGORITHM, -a ALGORITHM
the algorithm to be used with the requested key (default: aes).
--bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length of the requested secret key (default: 256).
--mode MODE, -m MODE
the algorithm mode to be used with the requested key (default: cbc).
--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the type/format of the secret to be generated (default: application/octet-stream).
--expiration EXPIRATION, -x EXPIRATION
the expiration time for the secret in ISO 8601 format.
--request-type REQUEST_TYPE
the type of the certificate request.
--subject-dn SUBJECT_DN
the subject of the certificate.
--source-container-ref SOURCE_CONTAINER_REF
the source of the certificate when using stored-key requests.
--ca-id CA_ID
the identifier of the CA to use for the certificate request.
--profile PROFILE
the profile of certificate to use.
--request-file REQUEST_FILE
the file containing the CSR.

21.18. barbican secret order delete

usage: barbican secret order delete [-h] URI
Delete an order by providing its href.

Positional arguments

URI
The URI reference for the order

Optional arguments

-h, --help
show this help message and exit

21.19. barbican secret order get

usage: barbican secret order get [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] URI
Retrieve an order by providing its URI.

Positional arguments

URI
The URI reference for the order.

Optional arguments

-h, --help
show this help message and exit

21.20. barbican secret order list

usage: barbican secret order list [-h] [-f {csv,html,json,json,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--quote {all,minimal,none,nonnumeric}] [--limit LIMIT] [--offset OFFSET]
List orders.

Optional arguments

-h, --help
show this help message and exit
--limit LIMIT, -l LIMIT
specify the limit to the number of items to list per page (default: 10; maximum: 100)
--offset OFFSET, -o OFFSET
specify the page offset (default: 0)

21.21. barbican secret store

usage: barbican secret store [-h] [-f {html,json,json,shell,table,value,yaml,yaml}] [-c COLUMN] [--max-width <integer>] [--noindent] [--prefix PREFIX] [--name NAME] [--payload PAYLOAD] [--secret-type SECRET_TYPE] [--payload-content-type PAYLOAD_CONTENT_TYPE] [--payload-content-encoding PAYLOAD_CONTENT_ENCODING] [--algorithm ALGORITHM] [--bit-length BIT_LENGTH] [--mode MODE] [--expiration EXPIRATION]
Store a secret in Barbican.

Optional arguments

-h, --help
show this help message and exit
--name NAME, -n NAME
a human-friendly name.
--payload PAYLOAD, -p PAYLOAD
the unencrypted secret; if provided, you must also provide a payload_content_type
--secret-type SECRET_TYPE, -s SECRET_TYPE
the secret type; must be one of symmetric, public, private, certificate, passphrase, opaque (default)
--payload-content-type PAYLOAD_CONTENT_TYPE, -t PAYLOAD_CONTENT_TYPE
the type/format of the provided secret data; "text/plain" is assumed to be UTF-8; required when --payload is supplied.
--payload-content-encoding PAYLOAD_CONTENT_ENCODING, -e PAYLOAD_CONTENT_ENCODING
required if --payload-content-type is "application/octet-stream".
--algorithm ALGORITHM, -a ALGORITHM
the algorithm (default: aes).
--bit-length BIT_LENGTH, -b BIT_LENGTH
the bit length (default: 256).
--mode MODE, -m MODE
the algorithm mode; used only for reference (default: cbc)
--expiration EXPIRATION, -x EXPIRATION
the expiration time for the secret in ISO 8601 format.

21.22. barbican secret update

usage: barbican secret update [-h] URI payload
Update a secret with no payload in Barbican.

Positional arguments

URI
The URI reference for the secret.
payload
the unencrypted secret

Optional arguments

-h, --help
show this help message and exit